Taft summer associate Jordan Jennings-Moore contributed to this article.
In today’s world, very few people remain completely unscathed by a data breach somewhere. From Target to Anthem, Wendy’s, and Equifax, individuals across the country have grown accustomed to receiving breach notification letters. Most recently, Alabama and South Dakota became the last two jurisdictions in the United States to adopt data breach notification laws. This means that any person or entity conducting business in the U.S. must be prepared to protect personal identifying information (PII) belonging to customers, clients, and employees.
Encryption is an easy way to protect PII. It wasn’t always that way, but technology has made it easier and cheaper to do. And this has legal benefits. A common trend seen among all U.S. jurisdictions is an encryption exception to the duty to provide notice of a data breach. Why? Well, because encrypted data is not “personal data.” Therefore, loss of encrypted data is often not a “breach” under the law. Encryption saves you time, your reputation, and thousands, if not millions, of dollars. That’s huge.
During her time at Taft, our Dayton summer associate Jordan Jennings followed the trends in data breach notification laws and worked with me on updating our materials to reflect the ever-changing world of state privacy and security law (e.g., California). I asked her to pitch in on this update and report on some of her findings below. (Spoiler alert: encryption is a pretty big deal.)
What does Encrypted Data Actually Mean?
Most jurisdictions define encryption as an algorithmic process used to transform data into a form that is rendered unreadable or unusable without use of a confidential process or key. In plain terms, encrypted data is encoded and scrambled so that it can only be viewed by those authorized to see it. Here are a few states’ definitions of encryption:
- “Encryption.” — The use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key. (N.C. Gen. Stat. § 75-61(14).)
- [Personal Information] does not include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable. (§ 501.171(1)(g)(2), Fla. Stat.)
- “Encrypted” means the transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, or the securing of the information by another method that renders the data elements unreadable or unusable. (Va. Code Ann. § 18.2-186.6(A))
How does Encryption Help My Business?
The purpose of encrypting PII is to mitigate the risk of a data breach. Breaches are costly, destroy business reputations and can lead to serious legal repercussions. Handling the consequences of a data breach can be a lengthy battle. As lawyers, we are here to help, but why risk the consequences of a data breach when you can prevent the incident from occurring?
Is Encryption an Absolute Fail Safe?
Although the unauthorized acquisition of encrypted data does not constitute a breach, encryption is not an end-all solution. If an unauthorized individual manages to obtain the encrypted data along with the encryption key, an entity may still be liable for a data breach despite its efforts to encrypt all personal information. That is why, before deciding to notify or not notify, it is best to consult counsel to determine your duties (if any) based on the relevant jurisdiction. (Oh, and that may include the European Union too.)
From coast to coast, states require entities to safeguard their data, and each state’s definition of what data must be protected is similar to the others but not identical. As you learned a few weeks ago, California just introduced yet another privacy law. However, each state agrees that encrypted data, without the key, will not trigger breach notification duties. The best practice for any company is to know what data it collects and where that data is located. After completing that step, companies should encrypt data in accordance with risk exposure and develop a secure protocol for handling the encryption key. By taking these measures, only individuals who possess the encryption key can access the information, and the likelihood of a breach diminishes.
No matter where you conduct business in the United States, you will now be subject to a breach notification law. Encryption is a powerful tool to avoid meeting a particular state’s definition of a “breach,” and should therefore be worthy of investment. Encryption is key (pun intended). Encrypt your personal and sensitive data. Don’t be too big for your breaches.